Hot Topic, best known for its entertainment and music merchandise, apparel and accessories, notified customers Tuesday it had discovered a cyber attack that may have compromised personal information. In a notice, the company said it recently identified "suspicious login activity" to certain Hot Topic Rewards accounts. After an investigation, Hot Topic found that unauthorized parties launched automated attacks against the retailer's website and mobile app on several dates earlier this year using valid account credentials obtained from an unknown third-party source.
"Based on our investigation, we're not able to determine which accounts were accessed by unauthorized third parties as opposed to legitimate customer logins during the relevant time periods," Hot Topic wrote in the filing.
Hot Topic says it's been working with cybersecurity experts, deploying bot protection software, and "evaluating additional measures to further enhance the protection of your personal information and accounts." It also encouraged customers to reset passwords.
Total Retail's Take: The information that may have been exposed to hackers includes customers' full names, email addresses, birth dates, order histories, phone numbers, and shipping addresses.
Dror Liwer, the co-founder of cybersecurity company Coro, said the attack highlights how cybersecurity is a shared responsibility between retailers and customers.
“On one hand, if a customer uses the same credentials across multiple sites, they need to understand that they're increasing the likelihood of becoming a victim exponentially. On the other hand, it’s a retailer’s responsibility to deploy automated detection tools to identify anomalous login patterns to prevent credential abuse."
This sentiment was echoed by Carol Volk, executive vice president, BullWall, a global leader in ransomware containment.
“Retailers are in a tough spot when it comes to preventing credential stuffing attacks. For starters, as we see here, there's no such thing as a 'strong password,' because hackers aren't trying to guess our passwords, but leveraging stolen passwords. Whether your password is '1234' or an 18-character string with numbers and symbols, the bad guys already have it. The best way to safeguard against the use of compromised credentials is to require multifactor authentication (MFA). Unfortunately, retailers know that customers won't tolerate the friction of MFA just to order a T-shirt, a pizza or a movie ticket, so we remain at risk.”
Marie Albiges is the managing editor for Women in Retail, Total Retail, and Women Leading Travel & Hospitality. She is responsible for content development, management and production for the group. Marie is a former journalist, a travel aficionado, a French native and fitness enthusiast who lives in Philadelphia with her partner, stepdaughter and dog.Â